Perform complete forensic analysis of encrypted disks and volumes
protected with desktop and portable versions of BitLocker, PGP and TrueCrypt.
Elcomsoft Forensic Disk Decryptor allows decrypting data from encrypted
containers or mounting encrypted volumes, providing full forensic access to
protected information stored in the three most popular types of crypto
containers. Access to encrypted information is provided in real-time.

Features and Benefits

Decrypts information stored in the three most popular types of crypto containers

Mounts encrypted BitLocker, PGP and TrueCrypt volumes

Supports removable media encrypted with BitLocker To Go

Supports both encrypted containers and full disk encryption

Acquires protection keys from RAM dumps and hibernation files

Extracts all the keys from a memory dump at once if there is more than one
crypto container in the system

Fast acquisition (limited only by disk read speeds)

Zero-footprint operation leaves no traces and requires no modifications to
encrypted volume contents

Recovers and stores original encryption keys

Supports all 32-bit and 64-bit versions of Windows

Access Information Stored in Popular Crypto Containers

ElcomSoft offers investigators a fast, easy way to access encrypted
information stored in crypto containers created by BitLocker, PGP and
TrueCrypt.

Two Access Modes*

Access is provided by either decrypting the entire content of an encrypted
volume or by mounting the volume as a drive letter in unlocked, unencrypted
mode.

Real-Time Access to Encrypted Information

In real-time mode, Elcomsoft Forensic Disk Decryptor mounts the encrypted
volume as a new drive letter on the investigator’s PC. In this mode, forensic
specialists enjoy fast, real-time access to protected information. Information
read from mounted disks and volumes is decrypted on-the-fly in real time.

* Another program, Elcomsoft Distributed Password Recovery, can attack the
plain-text passwords protecting the encrypted containers with a range of
advanced attacks, including dictionary, mask and permutation attacks, in
addition to brute force.

Zero Footprint Operation

ElcomSoft offers a forensically sound solution. The tool provides true
zero-footprint operation, leaving no traces and making no changes to the
contents of encrypted volumes.

Three Ways to Acquire Encryption Keys

Elcomsoft Forensic Disk Decryptor needs the original encryption keys in order
to access protected information stored in crypto containers. The encryption keys
can be derived from hibernation files or memory dump files acquired while the
encrypted volume was mounted. There are three ways available to acquire the
original encryption keys:

By analyzing the hibernation file (if the PC being analyzed is turned off);

By analyzing a memory dump file *

By performing a FireWire attack ** (PC being analyzed must be running with
encrypted volumes mounted).

* A memory dump of a running PC can be acquired with one of the readily
available forensic tools such as MoonSols Windows Memory Toolkit.

** A free tool launched on the investigator’s PC is required to perform the
FireWire attack (e.g. Inception).

Acquiring Encryption Keys

Generally, the choice of one of the three attacks depends on the running
state of the PC being analyzed. It also depends on whether or not installation
of a forensic tool is possible on a PC under investigation.

If the PC being investigated is turned off, the encryption keys can be
retrieved from the hibernation file. The encrypted volume must have been mounted
before the computer went to sleep. If the volume was dismounted before
hibernation, the encryption keys may not be derived from the hibernation file.

If the PC is turned on, a memory dump can be taken with any forensic tool if
installation of such a tool is permitted (e.g. the PC is unlocked and the
logged-in account has administrative privileges). The encrypted volume must be
mounted at the time of memory dump acquisition. A good description of this
technology (and a complete list of free and commercial memory acquisition tools)
is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging.

Finally, if the PC being investigated is turned on but installing forensic
tools is not possible (e.g. the PC is locked or the logged-in account lacks
administrative privileges), a remote attack via a FireWire port can be performed
in order to obtain a memory dump. This attack requires the use of a free
third-party tool (such as Inception: http://www.breaknenter.org/projects/inception/),
and offers near 100% results because the FireWire protocol, as implemented,
enables direct memory access. Both the target PC and the computer used for
acquisition must have FireWire (IEEE 1394) ports.

Once the original encryption keys are acquired, Elcomsoft Forensic Disk
Decryptor stores the keys for future access, and offers an option to either
decrypt the entire content of the encrypted container or mount the protected
disk as another drive letter for real-time access.

Supported Disk Encryption Tools

Elcomsoft Forensic Disk Decryptor works with encrypted volumes created by
current versions of BitLocker, PGP and TrueCrypt, including removable and flash
storage media encrypted with BitLocker To Go. It supports PGP encrypted
containers and full disk encryption.